@@ -175,6 +175,42 @@ cperf_set_ops_security_ipsec(struct rte_crypto_op **ops,
*tsc_start += tsc_end_temp - tsc_start_temp;
}
+static void
+cperf_set_ops_security_tls(struct rte_crypto_op **ops,
+ uint32_t src_buf_offset __rte_unused,
+ uint32_t dst_buf_offset __rte_unused,
+ uint16_t nb_ops, void *sess,
+ const struct cperf_options *options,
+ const struct cperf_test_vector *test_vector,
+ uint16_t iv_offset __rte_unused, uint32_t *imix_idx,
+ uint64_t *tsc_start)
+{
+ const uint32_t test_buffer_size = options->test_buffer_size;
+ const uint32_t headroom_sz = options->headroom_sz;
+ const uint32_t segment_sz = options->segment_sz;
+ uint16_t i = 0;
+
+ RTE_SET_USED(imix_idx);
+ RTE_SET_USED(tsc_start);
+ RTE_SET_USED(test_vector);
+
+ for (i = 0; i < nb_ops; i++) {
+ struct rte_crypto_sym_op *sym_op = ops[i]->sym;
+ struct rte_mbuf *m = sym_op->m_src;
+
+ ops[i]->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ ops[i]->param1.tls_record.content_type = 0x17;
+ rte_security_attach_session(ops[i], sess);
+ sym_op->m_src = (struct rte_mbuf *)((uint8_t *)ops[i] + src_buf_offset);
+
+ m->data_off = headroom_sz;
+ m->buf_len = segment_sz;
+ m->data_len = test_buffer_size;
+ m->pkt_len = test_buffer_size;
+
+ sym_op->m_dst = NULL;
+ }
+}
#endif
static void
@@ -755,6 +791,106 @@ create_ipsec_session(struct rte_mempool *sess_mp,
return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp);
}
+static void *
+create_tls_session(struct rte_mempool *sess_mp,
+ uint8_t dev_id,
+ const struct cperf_options *options,
+ const struct cperf_test_vector *test_vector,
+ uint16_t iv_offset)
+{
+ struct rte_crypto_sym_xform auth_xform = {0};
+ struct rte_crypto_sym_xform *crypto_xform;
+ struct rte_crypto_sym_xform xform = {0};
+
+ if (options->aead_algo != 0) {
+ /* Setup AEAD Parameters */
+ xform.type = RTE_CRYPTO_SYM_XFORM_AEAD;
+ xform.next = NULL;
+ xform.aead.algo = options->aead_algo;
+ xform.aead.op = options->aead_op;
+ xform.aead.iv.offset = iv_offset;
+ xform.aead.key.data = test_vector->aead_key.data;
+ xform.aead.key.length = test_vector->aead_key.length;
+ xform.aead.iv.length = test_vector->aead_iv.length;
+ xform.aead.digest_length = options->digest_sz;
+ xform.aead.aad_length = options->aead_aad_sz;
+ crypto_xform = &xform;
+ } else if (options->cipher_algo != 0 && options->auth_algo != 0) {
+ /* Setup Cipher Parameters */
+ xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ xform.cipher.algo = options->cipher_algo;
+ xform.cipher.op = options->cipher_op;
+ xform.cipher.iv.offset = iv_offset;
+ xform.cipher.iv.length = test_vector->cipher_iv.length;
+ /* cipher different than null */
+ if (options->cipher_algo != RTE_CRYPTO_CIPHER_NULL) {
+ xform.cipher.key.data = test_vector->cipher_key.data;
+ xform.cipher.key.length = test_vector->cipher_key.length;
+ } else {
+ xform.cipher.key.data = NULL;
+ xform.cipher.key.length = 0;
+ }
+
+ /* Setup Auth Parameters */
+ auth_xform.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+ auth_xform.auth.algo = options->auth_algo;
+ auth_xform.auth.op = options->auth_op;
+ auth_xform.auth.iv.offset = iv_offset + xform.cipher.iv.length;
+ /* auth different than null */
+ if (options->auth_algo != RTE_CRYPTO_AUTH_NULL) {
+ auth_xform.auth.digest_length = options->digest_sz;
+ auth_xform.auth.key.length = test_vector->auth_key.length;
+ auth_xform.auth.key.data = test_vector->auth_key.data;
+ auth_xform.auth.iv.length = test_vector->auth_iv.length;
+ } else {
+ auth_xform.auth.digest_length = 0;
+ auth_xform.auth.key.length = 0;
+ auth_xform.auth.key.data = NULL;
+ auth_xform.auth.iv.length = 0;
+ }
+
+ if (options->is_outbound) {
+ /* Currently supporting AUTH then Encrypt mode only for TLS. */
+ crypto_xform = &auth_xform;
+ auth_xform.next = &xform;
+ xform.next = NULL;
+ } else {
+ crypto_xform = &xform;
+ xform.next = &auth_xform;
+ auth_xform.next = NULL;
+ }
+ } else {
+ return NULL;
+ }
+
+ struct rte_security_tls_record_sess_options opts = {
+ .iv_gen_disable = 0,
+ .extra_padding_enable = 0,
+ };
+ struct rte_security_session_conf sess_conf = {
+ .action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
+ {.tls_record = {
+ .ver = RTE_SECURITY_VERSION_TLS_1_2,
+ .options = opts,
+ } },
+ .userdata = NULL,
+ .crypto_xform = crypto_xform,
+ };
+ if (options->tls_version)
+ sess_conf.tls_record.ver = options->tls_version;
+
+ if (options->is_outbound)
+ sess_conf.tls_record.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE;
+ else
+ sess_conf.tls_record.type = RTE_SECURITY_TLS_SESS_TYPE_READ;
+
+ void *ctx = rte_cryptodev_get_sec_ctx(dev_id);
+
+ /* Create security session */
+ return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp);
+}
+
static void *
cperf_create_session(struct rte_mempool *sess_mp,
uint8_t dev_id,
@@ -863,6 +999,11 @@ cperf_create_session(struct rte_mempool *sess_mp,
options, test_vector, iv_offset);
}
+ if (options->op_type == CPERF_TLS) {
+ return create_tls_session(sess_mp, dev_id,
+ options, test_vector, iv_offset);
+ }
+
if (options->op_type == CPERF_DOCSIS) {
enum rte_security_docsis_direction direction;
@@ -1089,6 +1230,9 @@ cperf_get_op_functions(const struct cperf_options *options,
case CPERF_IPSEC:
op_fns->populate_ops = cperf_set_ops_security_ipsec;
break;
+ case CPERF_TLS:
+ op_fns->populate_ops = cperf_set_ops_security_tls;
+ break;
#endif
default:
return -1;
@@ -55,6 +55,7 @@
#define CPERF_PDCP_SES_HFN_EN ("pdcp-ses-hfn-en")
#define PDCP_DEFAULT_HFN 0x1
#define CPERF_DOCSIS_HDR_SZ ("docsis-hdr-sz")
+#define CPERF_TLS_VERSION ("tls-version")
#endif
#define CPERF_CSV ("csv-friendly")
@@ -83,7 +84,8 @@ enum cperf_op_type {
CPERF_PDCP,
CPERF_DOCSIS,
CPERF_IPSEC,
- CPERF_ASYM_MODEX
+ CPERF_ASYM_MODEX,
+ CPERF_TLS,
};
extern const char *cperf_op_type_strs[];
@@ -134,6 +136,7 @@ struct cperf_options {
uint16_t pdcp_sdap;
enum rte_security_pdcp_domain pdcp_domain;
uint16_t docsis_hdr_sz;
+ enum rte_security_tls_version tls_version;
#endif
char device_type[RTE_CRYPTODEV_NAME_MAX_LEN];
enum cperf_op_type op_type;
@@ -36,8 +36,8 @@ usage(char *progname)
" --segment-sz N: set the size of the segment to use\n"
" --desc-nb N: set number of descriptors for each crypto device\n"
" --devtype TYPE: set crypto device type to use\n"
- " --optype cipher-only / auth-only / cipher-then-auth /\n"
- " auth-then-cipher / aead : set operation type\n"
+ " --optype cipher-only / auth-only / cipher-then-auth / auth-then-cipher /\n"
+ " aead / pdcp / docsis / ipsec / modex / tls-record : set operation type\n"
" --sessionless: enable session-less crypto operations\n"
" --out-of-place: enable out-of-place crypto operations\n"
" --test-file NAME: set the test vector file path\n"
@@ -67,6 +67,7 @@ usage(char *progname)
" --pdcp-ses-hfn-en: enable session based fixed HFN\n"
" --enable-sdap: enable sdap\n"
" --docsis-hdr-sz: set DOCSIS header size\n"
+ " --tls-version VER: set TLS VERSION <TLS1.2/TLS1.3/DTLS1.2>\n"
#endif
" -h: prints this help\n",
progname);
@@ -480,7 +481,11 @@ parse_op_type(struct cperf_options *opts, const char *arg)
{
cperf_op_type_strs[CPERF_ASYM_MODEX],
CPERF_ASYM_MODEX
- }
+ },
+ {
+ cperf_op_type_strs[CPERF_TLS],
+ CPERF_TLS
+ },
};
int id = get_str_key_id_mapping(optype_namemap,
@@ -732,6 +737,45 @@ parse_pdcp_domain(struct cperf_options *opts, const char *arg)
return 0;
}
+const char *cperf_tls_version_strs[] = {
+ [RTE_SECURITY_VERSION_TLS_1_2] = "TLS1.2",
+ [RTE_SECURITY_VERSION_TLS_1_3] = "TLS1.3",
+ [RTE_SECURITY_VERSION_DTLS_1_2] = "DTLS1.2"
+};
+
+static int
+parse_tls_version(struct cperf_options *opts, const char *arg)
+{
+ struct name_id_map tls_version_namemap[] = {
+ {
+ cperf_tls_version_strs
+ [RTE_SECURITY_VERSION_TLS_1_2],
+ RTE_SECURITY_VERSION_TLS_1_2
+ },
+ {
+ cperf_tls_version_strs
+ [RTE_SECURITY_VERSION_TLS_1_3],
+ RTE_SECURITY_VERSION_TLS_1_3
+ },
+ {
+ cperf_tls_version_strs
+ [RTE_SECURITY_VERSION_DTLS_1_2],
+ RTE_SECURITY_VERSION_DTLS_1_2
+ },
+ };
+
+ int id = get_str_key_id_mapping(tls_version_namemap,
+ RTE_DIM(tls_version_namemap), arg);
+ if (id < 0) {
+ RTE_LOG(ERR, USER1, "invalid TLS version specified\n");
+ return -1;
+ }
+
+ opts->tls_version = (enum rte_security_tls_version)id;
+
+ return 0;
+}
+
static int
parse_pdcp_ses_hfn_en(struct cperf_options *opts, const char *arg __rte_unused)
{
@@ -893,6 +937,7 @@ static struct option lgopts[] = {
{ CPERF_PDCP_SES_HFN_EN, no_argument, 0, 0 },
{ CPERF_ENABLE_SDAP, no_argument, 0, 0 },
{ CPERF_DOCSIS_HDR_SZ, required_argument, 0, 0 },
+ { CPERF_TLS_VERSION, required_argument, 0, 0 },
#endif
{ CPERF_CSV, no_argument, 0, 0},
@@ -1010,6 +1055,7 @@ cperf_opts_parse_long(int opt_idx, struct cperf_options *opts)
{ CPERF_PDCP_SES_HFN_EN, parse_pdcp_ses_hfn_en },
{ CPERF_ENABLE_SDAP, parse_enable_sdap },
{ CPERF_DOCSIS_HDR_SZ, parse_docsis_hdr_sz },
+ { CPERF_TLS_VERSION, parse_tls_version },
#endif
{ CPERF_CSV, parse_csv_friendly},
{ CPERF_PMDCC_DELAY_MS, parse_pmd_cyclecount_delay_ms},
@@ -1190,12 +1236,12 @@ cperf_options_check(struct cperf_options *options)
if (options->segment_sz == 0) {
options->segment_sz = options->max_buffer_size +
options->digest_sz;
- /* In IPsec operation, packet length will be increased
+ /* In IPsec and TLS operation, packet length will be increased
* by some bytes depend upon the algorithm, so increasing
* the segment size by headroom to cover most of
* the scenarios.
*/
- if (options->op_type == CPERF_IPSEC)
+ if (options->op_type == CPERF_IPSEC || options->op_type == CPERF_TLS)
options->segment_sz += RTE_PKTMBUF_HEADROOM;
}
@@ -1328,7 +1374,7 @@ cperf_options_check(struct cperf_options *options)
return -EINVAL;
}
- if (options->op_type == CPERF_IPSEC) {
+ if (options->op_type == CPERF_IPSEC || options->op_type == CPERF_TLS) {
if (options->aead_algo) {
if (options->aead_op == RTE_CRYPTO_AEAD_OP_ENCRYPT)
options->is_outbound = 1;
@@ -1356,6 +1402,8 @@ cperf_options_dump(struct cperf_options *opts)
printf("#\n");
printf("# cperf test: %s\n", cperf_test_type_strs[opts->test]);
printf("#\n");
+ printf("# cperf operation type: %s\n", cperf_op_type_strs[opts->op_type]);
+ printf("#\n");
printf("# size of crypto op / mbuf pool: %u\n", opts->pool_sz);
printf("# total number of ops: %u\n", opts->total_ops);
if (opts->inc_buffer_size != 0) {
@@ -52,6 +52,7 @@ cperf_latency_test_free(struct cperf_latency_ctx *ctx)
#ifdef RTE_LIB_SECURITY
else if (ctx->options->op_type == CPERF_PDCP ||
ctx->options->op_type == CPERF_DOCSIS ||
+ ctx->options->op_type == CPERF_TLS ||
ctx->options->op_type == CPERF_IPSEC) {
void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id);
rte_security_session_destroy(sec_ctx, ctx->sess);
@@ -43,6 +43,7 @@ cperf_throughput_test_free(struct cperf_throughput_ctx *ctx)
#ifdef RTE_LIB_SECURITY
else if (ctx->options->op_type == CPERF_PDCP ||
ctx->options->op_type == CPERF_DOCSIS ||
+ ctx->options->op_type == CPERF_TLS ||
ctx->options->op_type == CPERF_IPSEC) {
void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id);
@@ -660,7 +660,7 @@ cperf_test_vector_get_dummy(struct cperf_options *options)
t_vec->modex.elen = options->modex_data->exponent.len;
}
- if (options->op_type == CPERF_PDCP ||
+ if (options->op_type == CPERF_PDCP || options->op_type == CPERF_TLS ||
options->op_type == CPERF_IPSEC) {
if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
t_vec->cipher_key.length = 0;
@@ -795,7 +795,7 @@ cperf_test_vector_get_dummy(struct cperf_options *options)
t_vec->auth_iv.length = options->auth_iv_sz;
}
- if (options->op_type == CPERF_AEAD ||
+ if (options->op_type == CPERF_AEAD || options->op_type == CPERF_TLS ||
options->op_type == CPERF_IPSEC) {
t_vec->aead_key.length = options->aead_key_sz;
t_vec->aead_key.data = aead_key;
@@ -47,6 +47,7 @@ cperf_verify_test_free(struct cperf_verify_ctx *ctx)
#ifdef RTE_LIB_SECURITY
else if (ctx->options->op_type == CPERF_PDCP ||
ctx->options->op_type == CPERF_DOCSIS ||
+ ctx->options->op_type == CPERF_TLS ||
ctx->options->op_type == CPERF_IPSEC) {
void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id);
@@ -43,7 +43,8 @@ const char *cperf_op_type_strs[] = {
[CPERF_PDCP] = "pdcp",
[CPERF_DOCSIS] = "docsis",
[CPERF_IPSEC] = "ipsec",
- [CPERF_ASYM_MODEX] = "modex"
+ [CPERF_ASYM_MODEX] = "modex",
+ [CPERF_TLS] = "tls-record"
};
const struct cperf_test cperf_testmap[] = {
@@ -236,6 +237,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
case CPERF_PDCP:
case CPERF_DOCSIS:
case CPERF_IPSEC:
+ case CPERF_TLS:
/* Fall through */
default:
conf.ff_disable |= RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO;
@@ -175,6 +175,8 @@ The following are the application command-line options:
pdcp
docsis
modex
+ ipsec
+ tls-record
For GCM/CCM algorithms you should use aead flag.
@@ -340,6 +342,10 @@ The following are the application command-line options:
Set modex length for asymmetric crypto perf test.
Supported lengths are 60, 128, 255, 448. Default length is 128.
+* ``--tls-version <TLS1.2/TLS1.3/DTLS1.2>``
+
+ Set TLS/DTLS protocol version for perf test (default is TLS1.2).
+
Test Vector File
~~~~~~~~~~~~~~~~